Posts

How to find all users that have been granted a specific role in MongoDB with MongoChef

In this tutorial, we will see how to easily find all users that have been granted a specific role in MongoDB with MongoChef.

In MongoDB, users are defined for specific databases. Each user is then assigned a number of roles that in turn define the user’s privileges.

While MongoDB’s API makes it trivial to list all roles that a particular user has been granted, there is unfortunately no easy way for the reverse case where you want to find all users that have been granted a particular role, i.e. the role’s grantees.

Luckily, MongoChef makes it very easy to find those users.

List MongoDB Roles

First off, connected to your MongoDB server as a user that has sufficient privileges to manage users and roles.

Then, simply select the database that contains the role for which you want to find all grantees, and click the “Roles” icon in the toolbar.

MongoDB GUI for Role Management

Inspect Selected MongoDB Role

This will open the roles management tab for this database. Here, you can see all the built-in and user-defined roles created for the database.

Now, simply select the role for which you want to see all the users that have been granted that role. In our case, that is the user-defined role “rwAdmin”.

Then click the “Edit” button.

MongoDB GUI Manage MongoDB Roles

This opens the edit dialog for the select role.

By default, In the “Granted To” tab, you can see all grantees from the same database that the role is defined in.

In our case, that is natalie, paul, peter, and richard.

If you want to see all users from all databases that have been granted role “rwAdmin”, click the “Refresh for all DBs” button.

Show MongoDB Users with a MongoDB Role

That’s it! You can now see all users from all databases that have been granted the role “rwAdmin” on our database “test”.

Modify MongoDB Role

In this view, you can now even conceptually add new users to this role. For this, click the “Add” button.

Grant MongoDB Role

In the new dialog, you can choose users from any database that you want to add to the role. Of course, users in MongoDB are not really added to a role. Rather, under the hood, the selected users will be granted the role instead. Click “Add” to add the selected users.

Assign MongoDB Role to Multiple MongoDB Users

How to grant roles to multiple users at once in MongoDB with MongoChef

In MongoDB, users are defined for specific databases. Each user is then assigned a list of roles that in turn define the user’s privileges.

Not surprisingly, MongoDB’s API therefore makes it easy to assign a user a list of roles via the grantRolesToUser method:

db.grantRolesToUser( "<username>", [ <roles> ], { <writeConcern> } )

However, MongoDB’s role API (http://docs.mongodb.org/v2.6/reference/method/js-role-management/) doesn’t directly cover another common use case where you want to assign a (maybe newly created) role or multiple roles to a list of users in one go.

Luckily, MongoChef makes it very easy to assign roles to multiple users at once. Let’s consider the following example. Say you have just created a new role “rwAdmin” on database “test” that makes users dbAdmins on that database and also let’s them read from and write to it. You now want to assign this new role and the existing role “userAdmin” to a group of users.

1) Connect to your MongoDB server as a user that has sufficient privileges to grant roles to users, select the database where your users are defined, and click the “Users” icon in the toolbar to open the user management tab for that database.

MongoDB GUI Manage MongoDB Users

2) You will now see a list of all your users in the selected database. Simply select all users that you want to grant those roles to and click the “Grant Roles…” button.

Grant Roles to MongoDB Users

3) Now, select from the list of available roles those that you want to grant to your list of selected users, and click “Grant”.

Manage MongoDB Roles with a GUI

4) That’s it! You can verify that those two roles were indeed granted to the group of selected users. Voilà :-)

View MongoDB Users and Roles with a GUI